npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `--legacy-peer-deps` doesn't work for `npm audit fix` #4966

Open VTrngNghia opened 2 years ago

VTrngNghia commented 2 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

As per the npm-audit documentation, I'd expect the `--legacy-peer-deps` flag to work with `npm audit fix`. It does not.

> ... since `npm audit fix` runs a full-fledged `npm install` under the hood, all configs that apply to the installer will also apply to `npm install` -- so things like `npm audit fix --package-lock-only` will work as expected.

Expected Behavior

The `--legacy-peer-deps` flag should work with `npm audit fix`.

Steps To Reproduce

I ran `npm audit fix` and encountered this error:

```
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: my-package-name@1.2.3
npm ERR! Found: react-scripts@5.0.1
npm ERR! node_modules/react-scripts
npm ERR!   react-scripts@"^5.0.1" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react-scripts@"^4.0.0" from @craco/craco@6.4.3
npm ERR! node_modules/@craco/craco
npm ERR!   @craco/craco@"^6.1.2" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
```

I ran again with `npm audit fix --legacy-peer-deps` to no effect. The error was exactly the same.

Environment

```
@fortawesome:registry = "https://npm.fontawesome.com/"
//npm.fontawesome.com/:_authToken = (protected)
registry = "https://registry.npmjs.org/"

; node bin location = /Users/nghiavt/.nvm/versions/node/v16.15.0/bin/node
; node version = v16.15.0
; npm local prefix = /Users/nghiavt/Projects/(protected)
; npm version = 8.11.0
; cwd = /Users/nghiavt/Projects/(protected)
; HOME = /Users/nghiavt
; Run npm config ls -l to show all defaults.
```
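The peer conflict in the ERESOLVE report above, extracted programmatically; this is an added example, not part of the original issue and not npm's own code. `parseEresolve`, `splitSpec` and `satisfiesCaret` are hypothetical helpers, the sample text is constructed from lines in the report, and the range check assumes plain caret ranges on `x.y.z` versions.

```javascript
// Constructed sample: lines copied from the ERESOLVE report above.
const REPORT = `npm ERR! code ERESOLVE
npm ERR! While resolving: my-package-name@1.2.3
npm ERR! Found: react-scripts@5.0.1
npm ERR! node_modules/react-scripts
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react-scripts@"^4.0.0" from @craco/craco@6.4.3`;

// Split "name@version" on the last "@" so scoped names survive.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Caret check for plain x.y.z versions only (assumption: no prerelease tags).
function satisfiesCaret(version, range) {
  const v = version.split(".").map(Number);
  const r = range.slice(1).split(".").map(Number);
  // A caret range pins everything up to the leftmost non-zero component.
  const pin = r[0] > 0 ? 1 : r[1] > 0 ? 2 : 3;
  for (let i = 0; i < pin; i++) if (v[i] !== r[i]) return false;
  for (let i = pin; i < 3; i++) {
    if (v[i] !== r[i]) return v[i] > r[i];
  }
  return true;
}

// Pull the installed version and the unmet peer range out of the report.
function parseEresolve(text) {
  const lines = text.split("\n").map((l) => l.replace(/^npm ERR!\s?/, "").trim());
  const found = lines.find((l) => l.startsWith("Found: "));
  const peer = lines.map((l) => l.match(/^peer (\S+)@"([^"]+)" from (\S+)$/)).find(Boolean);
  if (!found || !peer) return null;
  const installed = splitSpec(found.slice("Found: ".length));
  const caret = /^\^\d+\.\d+\.\d+$/.test(peer[2]);
  return {
    name: installed.name,
    installed: installed.version,
    peerRange: peer[2],
    requiredBy: splitSpec(peer[3]),
    // null when the peer names another package or the range is not a plain caret range
    satisfied: caret && peer[1] === installed.name
      ? satisfiesCaret(installed.version, peer[2]) : null,
  };
}

console.log(parseEresolve(REPORT));
```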

J3m5 commented 2 years ago

I have this problem as well. Is there a workaround?

ihor-panasiuk95 commented 1 year ago

I also have this issue. It would be nice to have the ability to set the `--legacy-peer-deps` flag for `npm audit fix --package-lock-only`. We should be able to fix audit issues related only to package-lock. If I run `npm audit fix --package-lock-only --force`, it seems to ignore `--package-lock-only`, updates both package.json and package-lock.json, and introduces breaking changes.

siemhesda commented 9 months ago

Hi @VTrngNghia, could you please provide actual steps and a package.json sample?